DLP Implemented in SaaS environment

Kalonji Guillory
How should DLP be implemented in various SaaS solutions?

A bullet point response would be great.


Thanks,
Exec Consultant
Distinguished Expert 2018
Commented:
We can look at 3 types of deployment:
  1. Via an endpoint agent embedded in the cloud instance or the hypervisor,
  2. Via routing traffic through a dedicated DLP server or appliance outside the cloud, or
  3. Via running a cloud instance of a DLP server and routing traffic through it.

You should engage your DLP vendor, as they would have capabilities to scale out to the cloud, at least for Enterprise DLP.
  • I tend to see it as likely an on-premise and cloud-based hybrid mix.
  • The above options can all be applicable, depending on where your assets are and how data is exchanged across the platforms.

Some suggested checks and considerations for enhancing your on-premise setup to connect to the cloud:
  1. Identify the chokepoints (egress/ingress) to the cloud.
  2. Segregate the segment which has the external connection, e.g. like a DMZ to the internet; it can also be another private leased network.
  3. Check connectivity to the cloud services subscribed to or managed under your oversight.
  4. Assess the secure channel posture, e.g. a VPN for a point-to-point secure channel to the cloud infrastructure.
  5. Implement a CASB (cloud access security broker) as your bouncer to inspect all traffic traversing in and out of this network.
  6. Prior to CASB inspection, you need to decrypt the secure (e.g. TLS) connections to the internet or external network.
  7. Manage the cloud portal access in terms of traffic bandwidth.
  8. Have a SOC or IT Ops team watching over the alerts from the CASB for response.
  9. Regularly scan the network and connections for any vulnerabilities and keep them updated with security patches.

Other considerations:
  • If you are on a public cloud, you are unlikely to be able to restrict network routing to the degree that DLP offers on premise.
  • Hence rely more on an agent-based approach, deploying agents into the cloud instances and the endpoints (allowed to connect to the cloud).
  • Move to private or virtual private clouds, so you have more control, similar to on-premise DLP.
  • The main thing is to gain control to lock down traffic and endpoints so that DLP can still be deployed and monitored.

Below would be the portfolio of services to be managed:
  1. Endpoint DLP as a Service - with Application Control
  2. Network DLP as a Service
  3. Data Discovery with Data Classification as a Service
  4. Cloud DLP as a Service
  5. Information / Digital Rights Management as a Service

Specific to capabilities, you should be asking for:
  1. Content- and context-aware monitoring and inspection policies
  2. Detailed activity logging and reporting
  3. Device-level control
  4. Auditing, alerting, prompting, blocking, and removing remediation actions
  5. Encryption of sensitive data prior to cloud upload
  6. API integration with cloud storage providers to extend data security policy enforcement to the cloud
Some possible providers include Digital Guardian, Symantec and GTB Tech:

https://digitalguardian.com/products/saas
https://www.symantec.com/content/dam/symantec/docs/white-papers/extend-your-dlp-to-the-cloud-en.pdf
https://gttb.com/cloud-dlp-2/
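The answer above asks for "content- and context-aware monitoring and inspection policies" together with audit/alert/prompt/block/encrypt remediation actions. The following is an added illustration of what that pipeline looks like in code; it is not from the original post or from any of the vendor products named, and every policy threshold, user, hostname and sample payload in it is constructed for the example. Content inspection detects payment card numbers (validated with the Luhn check, so look-alike digit strings are not flagged) and US SSN-shaped strings; the context rules then map the findings plus the upload context (uploader group, whether the destination is a sanctioned tenant, inline proxy versus out-of-band API connector) to one remediation action.

```python
"""Toy content- and context-aware DLP policy evaluator.

Added illustration, not code from the original post or any vendor product.
Inspects an outbound upload for sensitive content, then combines the
findings with context to pick a remediation action. All policies, names
and payloads are constructed.
"""
import re
from dataclasses import dataclass

# 13-19 digits with optional single space/dash separators between digits.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape with the well-known invalid area/group/serial ranges excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to drop digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return normalised (separator-free) card numbers that pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text: str) -> dict[str, int]:
    """Content inspection: count each sensitive data type present."""
    findings = {}
    pans = find_pans(text)
    if pans:
        findings["PAN"] = len(pans)
    ssns = SSN_RE.findall(text)
    if ssns:
        findings["SSN"] = len(ssns)
    return findings


@dataclass
class UploadEvent:
    user: str
    user_groups: set[str]
    destination: str    # SaaS hostname the upload is going to (constructed)
    sanctioned: bool    # is this a sanctioned tenant managed under our oversight?
    channel: str        # "inline" (proxy/CASB in the path) or "api" (out-of-band connector)
    payload: str


def decide(ev: UploadEvent) -> tuple[str, dict[str, int]]:
    """Context-aware policy: map findings + context to one remediation action
    (allow, alert, prompt, encrypt, block). Rules run in precedence order;
    every threshold here is a constructed example, not a recommendation."""
    findings = classify(ev.payload)
    if not findings:
        return "allow", findings
    if not ev.sanctioned:                  # regulated data never leaves to an unmanaged tenant
        return "block", findings
    if findings.get("PAN", 0) >= 10:       # bulk card data is blocked even for sanctioned tenants
        return "block", findings
    if "finance" in ev.user_groups:        # entitled group: encrypt the object before upload
        return "encrypt", findings
    if ev.channel == "api":                # out-of-band connector cannot prompt the user in real time
        return "alert", findings
    return "prompt", findings              # inline: ask the user for a justification and audit


# Constructed sample events, one per policy branch.
SAMPLE_EVENTS = [
    UploadEvent("alice", {"finance"}, "tenant.sharepoint.example", True, "inline",
                "Q3 chargebacks: card 4111 1111 1111 1111 refunded"),
    UploadEvent("bob", {"marketing"}, "personal-drive.example", False, "inline",
                "Customer list: 5500 0000 0000 0004, SSN 123-45-6789"),
    UploadEvent("carol", {"support"}, "tenant.sharepoint.example", True, "api",
                "Ticket 4455: customer card 5500 0000 0000 0004 declined"),
    UploadEvent("dave", {"support"}, "tenant.sharepoint.example", True, "inline",
                "Reference 4111 1111 1111 1112 looks like a card but fails Luhn"),
    UploadEvent("eve", {"support"}, "tenant.sharepoint.example", True, "inline",
                "Customer wrote SSN 123-45-6789 in the chat transcript"),
]


def run_samples() -> list[str]:
    """Evaluate every sample event and return the chosen actions in order."""
    return [decide(ev)[0] for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, action in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{ev.user:6} -> {ev.destination:26} {action:8} {classify(ev.payload)}")
```

Run it directly to see one action per sample event. The point of the split between classify() and decide() is the one the answer makes: the same finding (one card number) produces a different action depending on context, and an out-of-band API connector can only alert after the fact, whereas an inline CASB in the decrypted path can prompt or block before the data leaves.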
